TurboTax Hit By Credential Stuffing Attack

An undisclosed number of TurboTax customer accounts have been compromised in a credential stuffing attack.

“Based on our investigation,” a notice told affected users, “…an unauthorized party may have accessed your account by using your usemame and password combination that was obtained from a non-Intuit source. The unauthorized access occurred [on/from] [date/date range]. By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g._ salary and deductions), and information of other individuals contained in the tax return.”

Intuit is offering one year of free identity theft protection to affected customers, but vehemently denied that a breach took place.

“There has been NO data breach of Intuit’s systems. There was NO third party that accessed Intuit systems or accessed customer information stored in those systems… a customer’s account experienced unauthorized access by a third party using legitimate log-in credentials that Intuit believes were obtained from sources outside the company. The individual’s account login information may have been acquired from any number of sources outside of Intuit.”